Dashboard authentication (OpenShift)

Introduction

This page documents the configuration settings that enable an OAuth2 proxy in front of the Aspen Mesh dashboard on an OpenShift cluster. The proxy uses the cluster's built-in OpenShift OAuth system, so only authenticated users in your organization can access the dashboard.

Setup

To enable the proxy with default options, set .aspen-mesh-controlplane.userAuth.type to oauthOpenshift in your Aspen Mesh override values file:

aspen-mesh-controlplane:
  userAuth:
    type: oauthOpenshift

Additional Configuration

You can specify additional OAuth configuration with the .aspen-mesh-controlplane.userAuth.oauthOpenshift parameters:

aspen-mesh-controlplane:
  userAuth:
    type: oauthOpenshift
    oauthOpenshift:
      host: aspenmesh.example.com

host (string)

(Optional) Hostname where users will log in to Aspen Mesh.

  • If provided, a route named aspen-mesh-controlplane is configured automatically with this hostname and the options needed to integrate with OpenShift's OAuth authentication workflow.

  • If not provided, no route is created automatically. You must either create a route named aspen-mesh-controlplane in the istio-system namespace with your preferred options, or expose the aspen-mesh-controlplane service to your users through some other load balancer and integrate that load balancer with OpenShift OAuth. Here is an example of manual route creation:

    $ oc create route edge aspen-mesh-controlplane \
        --namespace istio-system \
        --service aspen-mesh-controlplane \
        --port 19001 \
        --insecure-policy Redirect
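
When you create the route by hand, it is easy to lose one of the settings the manual command above sets, most often the edge TLS termination or the Redirect insecure policy, which leaves the login and OAuth callback reachable over plain HTTP. The following check is an added example (not code from the Aspen Mesh docs or project): it takes the JSON that `oc get route aspen-mesh-controlplane -n istio-system -o json` prints and compares it with the values in the command above. Field names (`spec.to`, `spec.port.targetPort`, `spec.tls.termination`, `spec.tls.insecureEdgeTerminationPolicy`) are those of the OpenShift Route API; the override values are assumed to have been loaded into a dict (for example with `yaml.safe_load`, not imported here), and the sample route JSON is constructed for the example.

```python
"""Check an OpenShift Route against what the Aspen Mesh OAuth proxy needs.

Added example; not code from the Aspen Mesh docs or project. The checks
mirror the manual `oc create route edge ...` command on this page: the
route must be named aspen-mesh-controlplane in istio-system, send traffic
to that service on port 19001, terminate TLS at the edge and redirect
plain HTTP so the login and OAuth callback never travel in clear text.
"""
import json

# Values taken from the page's `oc create route edge` command.
EXPECTED_NAME = "aspen-mesh-controlplane"
EXPECTED_NAMESPACE = "istio-system"
EXPECTED_PORT = 19001


def route_autocreated(values: dict) -> bool:
    """True if the chart creates the route itself, i.e. userAuth.type is
    oauthOpenshift and oauthOpenshift.host is set. `values` is the override
    values file already loaded into a dict (assumption: e.g. yaml.safe_load)."""
    auth = values.get("aspen-mesh-controlplane", {}).get("userAuth", {})
    if auth.get("type") != "oauthOpenshift":
        return False
    return bool(auth.get("oauthOpenshift", {}).get("host"))


def check_route(route: dict) -> list:
    """Return the list of mismatches in a Route object (as returned by
    `oc get route <name> -n istio-system -o json`); empty means it matches."""
    problems = []
    meta = route.get("metadata", {})
    spec = route.get("spec", {})

    if meta.get("name") != EXPECTED_NAME:
        problems.append(f"name is {meta.get('name')!r}, expected {EXPECTED_NAME!r}")
    if meta.get("namespace") != EXPECTED_NAMESPACE:
        problems.append(f"namespace is {meta.get('namespace')!r}, expected {EXPECTED_NAMESPACE!r}")

    to = spec.get("to", {})
    if to.get("kind", "Service") != "Service" or to.get("name") != EXPECTED_NAME:
        problems.append(f"route does not target the {EXPECTED_NAME} service")

    # targetPort is IntOrString; `--port 19001` yields the integer form.
    port = spec.get("port", {}).get("targetPort")
    if str(port) != str(EXPECTED_PORT):
        problems.append(f"targetPort is {port!r}, expected {EXPECTED_PORT}")

    tls = spec.get("tls")
    if not tls:
        problems.append("no tls section: logins and OAuth callbacks would be sent in clear text")
    else:
        if tls.get("termination") != "edge":
            problems.append(f"tls.termination is {tls.get('termination')!r}, expected 'edge'")
        if tls.get("insecureEdgeTerminationPolicy") != "Redirect":
            problems.append("insecureEdgeTerminationPolicy should be 'Redirect' so plain HTTP is upgraded, not served")
    return problems


def check_route_json(doc: str) -> list:
    """Convenience wrapper: parse the JSON text printed by oc and check it."""
    return check_route(json.loads(doc))


# Constructed sample: what `oc get route ... -o json` returns for a route
# created with the page's command (fields trimmed to those checked here).
GOOD_ROUTE_JSON = """{
  "apiVersion": "route.openshift.io/v1",
  "kind": "Route",
  "metadata": {"name": "aspen-mesh-controlplane", "namespace": "istio-system"},
  "spec": {
    "host": "aspenmesh.example.com",
    "to": {"kind": "Service", "name": "aspen-mesh-controlplane", "weight": 100},
    "port": {"targetPort": 19001},
    "tls": {"termination": "edge", "insecureEdgeTerminationPolicy": "Redirect"}
  }
}"""


if __name__ == "__main__":
    for problem in check_route_json(GOOD_ROUTE_JSON):
        print("PROBLEM:", problem)
    # Constructed counter-example: same route, but plain HTTP is let through.
    weak = json.loads(GOOD_ROUTE_JSON)
    weak["spec"]["tls"]["insecureEdgeTerminationPolicy"] = "Allow"
    for problem in check_route(weak):
        print("PROBLEM:", problem)
```

Run `route_autocreated` on your override values first: when it returns False (no `host` set), the route is your responsibility and `check_route` on the live object tells you what still differs from the command above.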
    

Deploy

After the configuration settings are in place, upgrade the istiod release to create the OAuth proxy service and create or update the associated resources:

$ helm upgrade istiod manifests/charts/istio-control/istio-discovery \
    --namespace istio-system \
    --values aspen-mesh-override-values.yaml \
    --wait

Authenticate via OpenShift OAuth

  1. Visit https://<DOMAIN> in your browser. You should see a button labeled “Log in with OpenShift.”

     [image: signin-openshift.png]

  2. Click the button and complete the login process.

     [image: login-openshift.png]

     You will be taken to OpenShift to authorize the permissions requested by the aspen-mesh-controlplane service account.

     [image: authorize-openshift.png]

  3. Click the “Allow selected permissions” button to access the Aspen Mesh dashboard.

  4. To log out, visit https://<DOMAIN>/oauth2/sign_in, or delete the cookies from your browser for your cluster’s domain.